IPSEC 5.6

Greg

IPSEC 5.6

« on: August 18, 2003, 05:10:36 PM »

I set up two new servers, one on a DSL and one on a T1 but I can't get Freeswan to connect between them. I have never been able to make 5.6 work. I have 5.5 running fine between 3 production servers.
I must be doing something wrong.

Local networks
Network Subnet mask Number of hosts Router
192.168.3.0 255.255.255.0 256

IPSEC VPNs setup:
Remote ID Remote Host Remote Internal IP Remote Internal Subnet Mask
64.83.34.68 64.83.34.68 192.168.3.1 255.255.255.0

[root@SME561 root]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:E0:29:54:B1:D9
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
EtherTalk Phase 2 addr:65280/178
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6443 errors:0 dropped:0 overruns:0 frame:0
TX packets:170 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
RX bytes:666926 (651.2 Kb) TX bytes:17535 (17.1 Kb)

eth1 Link encap:Ethernet HWaddr 00:E0:29:54:AD:F6
inet addr:66.149.149.218 Bcast:66.149.149.223 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1986 errors:0 dropped:0 overruns:0 frame:0
TX packets:782 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
RX bytes:208914 (204.0 Kb) TX bytes:196842 (192.2 Kb)

ipsec0 Link encap:Ethernet HWaddr 00:E0:29:54:AD:F6
inet addr:66.149.149.218 Mask:255.255.255.248
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
RX bytes:0 (0.0 b) TX bytes:5450 (5.3 Kb)

[root@SME561 root]# ipsec eroute
0 66.149.149.218/32 -> 64.83.34.68/32 => %trap
0 66.149.149.218/32 -> 192.168.3.0/24 => %trap
0 192.168.2.0/24 -> 64.83.34.68/32 => %trap
0 192.168.2.0/24 -> 192.168.3.0/24 => %trap

Local networks
Network Subnet mask Number of hosts Router
192.168.2.0 255.255.255.0 256

IPSEC VPNs setup:
Remote ID Remote Host Remote Internal IP Remote Internal Subnet Mask
66.149.149.218 66.149.149.218 192.168.2.1 255.255.255.0

[root@SME562 root]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:06:29:05:F4:10
inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
EtherTalk Phase 2 addr:65280/37
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2500 errors:0 dropped:0 overruns:0 frame:0
TX packets:90 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
RX bytes:251707 (245.8 Kb) TX bytes:9283 (9.0 Kb)

eth1 Link encap:Ethernet HWaddr 00:E0:29:54:B4:39
inet addr:64.83.34.68 Bcast:64.83.34.71 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:625 errors:0 dropped:0 overruns:0 frame:0
TX packets:580 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
RX bytes:92555 (90.3 Kb) TX bytes:97194 (94.9 Kb)

ipsec0 Link encap:Ethernet HWaddr 00:E0:29:54:B4:39
inet addr:64.83.34.68 Mask:255.255.255.248
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:19 errors:0 dropped:21 overruns:0 carrier:0
collisions:0
RX bytes:0 (0.0 b) TX bytes:4142 (4.0 Kb)

[root@test562 root]# ipsec eroute

2 64.83.34.68/32 -> 66.149.149.218/32 => %hold
17 64.83.34.68/32 -> 192.168.2.0/24 => %hold
0 192.168.3.0/24 -> 66.149.149.218/32 => %trap
0 192.168.3.0/24 -> 192.168.2.0/24 => %trap

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up. uniqueids=yes
# defaults for subsequent connection descriptions
# (these defaults will soon go away) conn %default keyingtries=0 disablearrivalcheck=no
authby=rsasig
#leftrsasigkey=%dnsondemand
#rightrsasigkey=%dnsondemand
##############################################################

conn net.local-net.192.168.2.0
also=net.local.right
left=66.149.149.218
leftsubnet=192.168.2.0/255.255.255.0
leftfirewall=yes
leftid=@66.149.149.218
leftrsasigkey=BLABLABLABLA
auto=start
conn gate.local-gate.192.168.2.0
also=gate.local.right
left=66.149.149.218
leftid=@66.149.149.218
leftrsasigkey=BLABLABLABLA
auto=start
conn net.local-gate.192.168.2.0
also=net.local.right
left=66.149.149.218
leftid=@66.149.149.218
leftrsasigkey=BLABLABLABLA
auto=start
conn gate.local-net.192.168.2.0
also=gate.local.right
left=66.149.149.218
leftsubnet=192.168.2.0/255.255.255.0
leftfirewall=yes
leftid=@66.149.149.218
leftrsasigkey=BLABLABLABLA
auto=start
##############################################################
##############################################################
##############################################################
# Attributes for connection #
# local net as left #
##############################################################
conn net.local.left
left=%defaultroute
leftsubnet=192.168.3.0/255.255.255.0
leftfirewall=yes
leftid=@artfxonline.com
leftrsasigkey=BLABLABLABLA
##############################################################
# Attributes for connection #
# local gate as left #
##############################################################
conn gate.local.left
left=%defaultroute
leftid=@artfxonline.com
leftrsasigkey=BLABLABLABLA
##############################################################
# Attributes for connection #
# local net as right #
##############################################################
conn net.local.right
right=%defaultroute
rightsubnet=192.168.3.0/255.255.255.0
rightfirewall=yes
rightid=@artfxonline.com
rightrsasigkey=BLABLABLABLA
##############################################################
# Attributes for connection #
# local gate as right #
##############################################################
conn gate.local.right
right=%defaultroute
rightid=@artfxonline.com
rightrsasigkey=BLABLABLABLA
#------------------------------------------------------------
# TEMPLATE END
#------------------------------------------------------------

Logged

Lloyd Keen

Re: IPSEC 5.6

« Reply #1 on: August 18, 2003, 06:04:29 PM »

Here's a working one with static IP's either end.
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
keyingtries=0
disablearrivalcheck=no
authby=rsasig
#leftrsasigkey=%dnsondemand
#rightrsasigkey=%dnsondemand

##############################################################

conn net.local-net.192.168.163.0
also=net.local.left
right=203.213.xxx.xxx
rightsubnet=192.168.163.0/255.255.255.0
rightfirewall=yes
rightid=@domain1.com.au
rightrsasigkey=BLABLA
auto=start

conn gate.local-gate.192.168.163.0
also=gate.local.left
right=203.213.xxx.xxx
rightid=@domain1.com.au
rightrsasigkey=BLABLA
auto=start

conn net.local-gate.192.168.163.0
also=net.local.left
right=203.213.xxx.xxx
rightid=@domain1.com.au
rightrsasigkey=blabla
auto=start

conn gate.local-net.192.168.163.0
also=gate.local.left
right=203.213.xxx.xxx
rightsubnet=192.168.163.0/255.255.255.0
rightfirewall=yes
rightid=@domain1.com.au
rightrsasigkey=blabla
auto=start

##############################################################

##############################################################
# Attributes for connection #
# local net as left #
##############################################################
conn net.local.left
left=%defaultroute
leftsubnet=192.168.10.0/255.255.255.0
leftfirewall=yes
leftid=@domain2.com
leftrsasigkey=blabla

##############################################################
# Attributes for connection #
# local gate as left #
##############################################################
conn gate.local.left
left=%defaultroute
leftid=@domain2.com
leftrsasigkey=blabla

##############################################################
# Attributes for connection #
# local net as right #
##############################################################
conn net.local.right
right=%defaultroute
rightsubnet=192.168.10.0/255.255.255.0
rightfirewall=yes
rightid=@domain2.com
rightrsasigkey=blabla
##############################################################
# Attributes for connection #
# local gate as right #
##############################################################
conn gate.local.right
right=%defaultroute
rightid=@domain2.com
rightrsasigkey=blabla

#------------------------------------------------------------
# TEMPLATE END
#------------------------------------------------------------

Logged

ryan

Re: IPSEC 5.6

« Reply #2 on: August 24, 2003, 10:01:10 AM »

Greg,

I too got frustrated trying to get IPSEC to work in 5.6. It worked fine in 5.1.2, but I gave up on 5.6. Im glad I did. Below is a posting I did earlier tonight in this forum. You might look at these options.

Paste:

OpenVPN sounds interesting. I am going to read up on this. Another simple and extremely cheap option is the linksys BEFVP41 firewall vpn router ($129.00 at compusa). These devices can handle up to 70 IPSEC tunnels and are SIMPLE to configure.

The linksys is a simple device that is easy to configure. For my primary location, I prefer a true linux server firewall with a secure DMZ. I have IPCop linux as my central site firewall vpn router. IPCop is every easy and quick to install. Amazingly, you can use the linksys BEFVP41 firewall vpn router as an IPSEC endpoint to IPCop. For me, this is perfect as the linksys is dirt cheap and has no moving parts so it should be reliable for those remote (don't want to travel there) locations. SME is also used as a primary gateway to filter web traffic with squidguard, watch it with sarg, and filter spam before passing email to exchange. This setup works well and is very cost effective.

Now to learn about OpenVPN....

ryan

Logged